The Definitive Guide to CISA Certification in 2022-23

Certified Information Systems Auditor (CISA) is a certification conferred by the Information Systems Audit and Control Association (ISACA) that validates an IT professional's ability to audit, control and assess how information systems are implemented, operated, safeguarded and maintained under appropriate governance. This article discusses the CISA examination, its costs, possible salary expectations, and career opportunities in 2022.

What Is A CISA Certification?

Certified Information Systems Auditor (CISA) is a certification provided by the Information Systems Audit and Control Association (ISACA) that validates an IT professional's knowledge of how information systems are implemented, operated, protected and managed under proper governance.

CISA is an internationally recognized standard for evaluating an IT auditor's knowledge, skill and expertise in assessing vulnerabilities and evaluating IT controls in an organization. CISA holders audit, monitor and assess an organization's information systems. By examining processes and products and recommending risk-mitigation measures that reduce exposure to cyber threats and breaches, they help ensure that a company's technical needs are met without introducing new system vulnerabilities.

Obtaining CISA certification involves five stages.

  • Register and prepare for the CISA exam: When registering, applicants choose between taking the exam online with a remote proctor or in person at one of the available test centers. They must take the exam within twelve months of registration; otherwise, they forfeit the fee. After registering, applicants may prepare independently with their own study plan or follow the ISACA CISA Review Manual. ISACA also offers the CISA Review Questions, Answers & Explanations (QAE) database, which contains practice questions with answers and explanations.
  • Take and pass the CISA exam: The CISA exam covers five domains and is offered in ten languages to accommodate a large candidate pool. It consists of 150 multiple-choice questions and lasts four hours. Scores are reported on a scale of 200 to 800, and applicants need at least 450 to pass. Applicants who score below 450 can retake the exam, subject to ISACA's retake limits. A preliminary result is shown at the end of the exam, and ISACA sends the official score within about ten business days.
  • Acquire the necessary job experience: To apply for CISA certification, applicants must have at least five years of professional experience in information systems auditing, control, assurance or security. Applicants may sit the exam before, during or after accumulating this experience. The experience must have been gained within the ten years preceding the application date or within five years of passing the exam.

ISACA allows applicants to substitute up to three years of the work requirement with education or related experience, such as completed university credits, a master's degree in information security or information technology, or non-IS audit experience. Even with the maximum substitution, at least two years of qualifying work experience are required.

  • Apply for certification: Applicants can apply for certification after passing the exam and completing the required work experience. The application also includes an agreement to adhere to ISACA's Code of Professional Ethics.
  • Maintain the certification: Under ISACA's continuing professional education (CPE) policy, CISA holders must report a minimum of 20 CPE hours annually and 120 hours over each three-year reporting cycle. They must also pay an annual maintenance fee to keep the certification active.

Who should pursue a CISA certification?

Information security auditors, chief risk officers, compliance heads and IT professionals responsible for information security should consider obtaining a CISA certification. These roles involve assessing and auditing information systems and their associated security and access controls, which requires a solid understanding of the vulnerabilities that can seriously disrupt an organization's operations.


CISA Certification Course Curriculum

ISACA has been offering the CISA certification since June 1978. Over the years, the course curriculum of the CISA certification has undergone modifications to align with the ever-changing business environment of IT auditors. ISACA did the last revision in 2019.

The CISA certification course curriculum is currently organized into five sections, called domains, each of which carries a set percentage of the CISA exam. These domains are further divided into subdomains. Applicants must study all five domains to pass the exam. To understand them better, applicants can obtain the official CISA Review Manual and the accompanying Questions, Answers & Explanations database.

The five domains of the CISA course curriculum include:

1. The information systems auditing process

The information systems auditing process domain accounts for 21% of the CISA exam. It covers how IT auditors provide audit services in accordance with IT audit standards so that the organization can protect and control its information systems. This domain also covers the audit charter, its contents, and the steps of audit planning.

In this domain, applicants are expected to develop and implement a risk-based IT audit strategy, plan and conduct audits, and report findings. They must also demonstrate the ability to apply these standards and regulations in a real-world setting.

Applicants must also know the ISACA IT audit and assurance standards, guidelines, tools and techniques, and code of professional ethics, along with other relevant standards. In particular, they are expected to recall standards 1 (S1), S2, S4, S9 and S10.

The information systems auditing domain is further divided into seven subdomains that applicants must understand, including risk evaluation, internal control systems, control self-assessment, the IS audit process, IS audit function management, and ISACA's IT auditing and assurance standards and guidelines.

2. Governance and management of IT

17% of the CISA exam is devoted to the governance and management of IT. It examines how IT auditors confirm that appropriate organizational structures and processes are in place. It also absorbed the business continuity planning material from the former domain 6, which ISACA removed when it consolidated the curriculum.

In this domain, applicants are expected to evaluate the effectiveness of the IT governance structure, IT organizational structure, human resource management, and policies and standards, and to determine whether they are aligned with the organization's mission and objectives.

In this domain, applicants must be able to define corporate governance and describe ISO 26000. They are also required to describe the Organisation for Economic Co-operation and Development (OECD) principles of corporate and IT governance. Additionally, applicants must identify the five focus areas of IT governance (strategic alignment, value delivery, risk management, resource management, and performance measurement), be familiar with the major governance frameworks, and describe the role of the audit function.

The IT governance and management domain is further divided into 13 subdomains, such as corporate governance, IT monitoring, process improvement models, IT investment and allocation, information systems (IS) management practices (with five sub-areas of its own), and business continuity planning.

3. Information systems acquisition, development, and implementation

12% of the CISA exam is devoted to the acquisition, development and implementation of information systems. The domain focuses on the role of IT auditors in ensuring that the organization's information systems are developed, tested and implemented in a way that enables the company to achieve its goals.

This domain contains a great deal of material that applicants must understand. For instance, they must know the difference between program management and portfolio management, the main risks in agile software development projects, and at which phase of the development life cycle testing begins.

Applicants must also know how to evaluate proposed investments in IT acquisition, development, maintenance and retirement. They must be able to assess project management practices and controls and conduct post-implementation reviews.

This curriculum domain is further divided into 14 subdomains that applicants are required to understand. These cover the business case and benefits realization, project management, business applications, alternative development methods, productivity aids, and several others.

4. Information systems operations and business resilience

23% of the CISA examination is devoted to “information systems operations and business resilience.” It focuses on ensuring that the information systems operations, maintenance, and support processes meet the organization’s mission and objectives. It is considered one of the most critical domains in the CISA curriculum or syllabus.

This domain includes the disaster recovery material from the former domain 6, which is no longer a separate part of the CISA curriculum. It covers what to do in the event of data loss, how much data loss is acceptable (the recovery point objective) and how quickly services must be restored (the recovery time objective), and how to manage these issues. It also requires applicants to conduct periodic IT reviews and evaluations covering operations, end-user procedures, and service-level management practices.

The information systems operations and business resilience domain is further subdivided into subdomains that applicants must learn. These are information systems operations; hardware, architecture and software; network infrastructure; auditing infrastructure and operations; and disaster recovery planning.

5. Protection of information assets

Protection of information assets (an interdisciplinary domain that overlaps heavily with cybersecurity) covers 27% of the CISA exam. It examines how IT auditors ensure that the organization's security policies, standards, procedures and controls protect the confidentiality, integrity and availability of information assets. This domain, alongside the fourth one, is considered the most important in the CISA syllabus.

Applicants are expected to evaluate the organization's information security policies, standards and procedures. They must also evaluate the design, implementation and monitoring of logical security controls, environmental controls, data classification processes, and physical access controls.

The protection of information assets domain is further divided into eight more subdomains that applicants must focus on. These include logical access, network security, auditing information security management frameworks, environmental exposures and controls, and mobile computing, among other topics.


CISA Certification Cost

The CISA certification process can cost approximately $1,000 or more, depending upon the route one takes. The following are the costs involved with acquiring the CISA certification, divided into five segments:

  • ISACA membership cost: Membership is optional but lowers the exam and maintenance fees. New members in the professional category pay up to $310, those in the recent graduate category up to $140, and those in the student category up to $55 (the total includes chapter dues, which vary by chapter).
  • CISA exam cost: The CISA exam fees are non-refundable and non-transferable. They cover ISACA's costs for exam proctoring, scoring, and use of the testing center. ISACA members pay $575, while non-members pay $760 for the CISA exam.
  • CISA certification cost: All successful applicants who have met the eligibility criteria must pay a $50 application processing fee when submitting their CISA certification application.
  • Annual maintenance fee: ISACA members pay an annual fee of $45, while non-members pay $85 per year to maintain their CISA certification.
  • Miscellaneous CISA certification costs: Applicants must also fund any study materials or courses they use. Costs range from about $40 for a third-party study guide to up to $300 for the official CISA Review Manual and question database.


CISA Salary In 2022

CISA is among the most in-demand certifications today, with over 151,000 professionals certified by ISACA as of 2022. According to Skillsoft data (last updated on October 5, 2022), CISA is among the top 15 highest-paying IT certifications of 2022. Professionals holding a CISA certification earn an average annual salary of $142,336.58, a 5% increase from 2021.

A report by the Institute of Internal Auditors (IIA) shows that individuals with a CISA certification earned significantly more than those without one: CISA holders earned an average of $105,000, while those without the certification earned an average of $65,000.

Location, employer, and position significantly affect the salary of a CISA-certified professional. For instance, CISA professionals working in major cities and developed economies typically earn more than counterparts holding the same position in developing countries.

CISA professionals in entry-level positions can command an average annual salary of $60,000, while experienced, senior-level positions earn an average of $175,000 per year, nearly three times the entry-level figure. The gap between entry-level and junior-level positions is also substantial: junior-level positions earn an average annual salary of $75,000, about 25% more than entry-level roles.

Entry-level positions at a medium-sized company earn an average annual salary of $57,000, while those at large companies earn an average of $63,000 per year, a difference of roughly 10% depending on the employer.

Additionally, career paths can affect an individual’s salary. For instance, according to PayScale, senior information technology auditors earn an annual average salary of $88,933, information technology auditors earn $77,783, information security managers earn $126,487, chief information security officers earn $183,467, information systems audit managers earn $114,885, internal audit directors earn $145,005, and information security analysts earn $94,256.


CISA Jobs In 2022

CISA holders have the knowledge, skills and expertise to identify and manage security vulnerabilities, assess the compliance of processes and products, and recommend solutions that remediate identified risks. In recruitment, CISA holders tend to receive more recognition and stand out from peers without the credential. The following are examples of jobs that an individual can obtain with a CISA certification:

1. Information technology (IT) auditor

IT auditors evaluate an organization's technology controls and the data they protect. They are responsible for safeguarding sensitive information, identifying vulnerabilities in systems and networks, and recommending strategies to prevent security breaches. CISA gives IT auditors the analytical skills to carry out these duties effectively. They earn an average annual salary of $77,783.

2. Senior information security (IS) auditor

Senior IS auditors evaluate an organization's security controls and monitor how effectively they operate. CISA certification equips IS auditors with the skills to perform these duties and can help them advance to information security manager roles. They earn an average annual salary of $94,483.

3. Internal audit manager

Internal audit managers ensure that the organization's processes comply with its strategies and objectives. They also conduct risk assessments and create plans to monitor audit findings. A CISA certification attests to an internal audit manager's analytical and communication skills. They earn an average annual salary of $107,621.

4. Internal audit director

Internal audit directors are proficient in auditing and accounting. They supervise their teams to ensure compliance with procedures and processes in support of organizational objectives. CISA certification attests to an internal audit director's knowledge and skills in information systems. They earn an average annual salary of $145,005.

5. Risk analyst

Risk analysts, including cybersecurity analysts, are tasked with identifying and minimizing risk. They examine an organization's processes to identify areas that present a threat and then propose solutions that reduce the risk's potential impact on the organization. They earn an average annual salary of $93,830.

6. Data protection manager

Data protection managers work with data owners to identify sensitive data and verify that adequate controls are in place to protect it. They are also responsible for ensuring that data is handled and protected in compliance with applicable data protection laws. They earn an average annual salary of $83,065.

7. Security officers

Security officers are responsible for managing an organization's security program and providing guidance. A CISA certification strengthens a security officer's knowledge of audit, risk and compliance, helping them ensure that people across the organization follow best practices and established processes. They earn an average annual salary of $110,800.

8. Compliance analyst

Compliance analysts run compliance programs. They review and implement policies and procedures to meet compliance requirements and ensure that the organization satisfies the regulations and standards relevant to its objectives and strategy, such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS). They earn an average annual salary of $84,689.



CISA is among the most prestigious IT audit certifications in the world. It is accredited by the American National Standards Institute (ANSI) under ISO/IEC 17024 and is recognized worldwide. As enterprises embrace digital transformation, they need to manage systems with the right governance measures to make the IT landscape genuinely sustainable. CISA-certified professionals help strengthen and protect IT infrastructure, which makes them among the most in-demand roles today.

Did you find this article helpful in your journey toward achieving CISA certification? Tell us on Facebook, Twitter, and LinkedIn. We’d love to hear from you! 
